Computing and data entry devices are coupled by means of communications networks that facilitate communication between computing devices and users throughout the world. Communications networks may be of a variety of sizes, depending on the number of connected devices and the purpose of the network (e.g., whether it is for private, local, or general public use). Communications networks that are operated by Service Providers (SPs) or Internet Service Providers (ISPs) may be used to permit relatively large numbers of users to connect with remote servers hosting web-sites and with individual users. Such networks are inter-connected via circuits, where the size of a circuit determines the amount of data that can be transmitted or received during a specific time interval. The process used to facilitate communication between computing devices and users is known as “routing”. Routing occurs when data and/or a message are passed from a source to a destination over inter-connected networks.
While there are many beneficial aspects of communications networks, such networks may also be used for improper purposes. For example, such networks and computing devices may be the targets of, or used for, deviant or anti-social purposes such as malicious attacks on networks, computing devices, web sites, or network infrastructure elements. One such misuse or deviant use is that of perpetrating a Distributed Denial of Service (DDoS) attack, which is the transmission of unwanted messages in such a quantity or crafted in such a way as to render a legitimate service unusable. Other types of deviant or illegal activity include attempts to obtain unauthorized access to confidential information (such as occurs in email “spamming”) or attempts to commit financial fraud, such as occurs as part of the practice known as “phishing”.
When such improper behaviors are detected or identified, there are several conventional approaches to addressing the attempts to commit such behaviors and/or mitigating their impact. Typically these approaches include one or more of:

Null Routing: redirecting traffic from the destination to a null address in memory, often called a “Black Hole” or “black hole routing”. While effective, this approach has a possible deficiency in that when malicious traffic volume is too great, the destination service provider may not have sufficient bandwidth or equipment capable of null routing all aspects (i.e., incoming messages) of the attack on their own;

Reverse Proxying: the action of a cluster of systems serving as the front line of defense and operating to pass only known legitimate traffic to the destination. This may be effective, at least initially, but suffers from the following deficiencies:
    1) Depending on the type of attack, a proxy or cluster of proxy servers may not be able to handle the flow of traffic or the number of connections per second required to prevent the attack from overwhelming them and their ability to prevent the messages reaching their intended target; and
    2) When malicious traffic volume is too great, the destination service provider may not have sufficient bandwidth or equipment capable of null routing all aspects (i.e., incoming messages) of the attack on their own.

Filtering: in specific types of attacks or situations of unwanted traffic where a connection-oriented session occurs (i.e., when a server requires two-way communication), a system can filter known illegitimate source addresses or messages based on their content. While targeted, this may not be successful due to one or more of the following:
    1) Depending on the type of attack, a proxy or cluster of proxy servers may not be able to handle the flow of traffic or the number of connections per second required to prevent the attack from overwhelming them and their ability to prevent the messages reaching their intended target;
    2) When malicious traffic volume is too great, the destination service provider may not have sufficient bandwidth or equipment capable of null routing all aspects (i.e., incoming messages) of the attack on their own; and
    3) Some types of content can be formatted to appear as legitimate traffic and may originate from a multitude of sources—in such cases, the method may not be effective.

Scrubbing: this technique examines network packets in relation to their respective protocols, and only allows packets matching what would normally exist in the context of a specific connection or session. This approach may have one or more of the following deficiencies:
    1) Depending on the type of attack, a proxy or cluster of proxy servers may not be able to handle the flow of traffic or the number of connections per second required to prevent the attack from overwhelming them and their ability to prevent the messages reaching their intended target; and
    2) When malicious traffic volume is too great, the destination service provider may not have sufficient bandwidth or equipment capable of null routing all aspects (i.e., incoming messages) of the attack on their own.

Note that in some respects, all of these conventional methods suffer from a common problem: that of being unable to respond properly and in a timely manner to a large enough volume and/or rate of malicious messages or data. Thus, all are effectively rendered less useful, or in the end ineffectual, if the amount of data used in an attack exceeds the capabilities of one or more of the routing devices, the processor's computing resources, or the bandwidth limitations of one or more of the circuits the data is carried over.
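The scrubbing approach and the capacity limit described above can be made concrete with a small sketch, added here as an illustration and not taken from the patent. It is a simplified TCP state check with a bounded session table; the class name, verdict strings, addresses and the table size of 2 are all assumptions, and the sample traffic is constructed.

```python
from collections import namedtuple

# Client-to-server TCP segment; flags is a set such as {"SYN"} or {"ACK", "PSH"}.
Packet = namedtuple("Packet", "src sport dst dport flags")

class Scrubber:
    def __init__(self, max_flows):
        self.max_flows = max_flows   # assumed state-table capacity of the device
        self.flows = {}              # (src, sport, dst, dport) -> session state

    def check(self, pkt):
        """Return "pass" or a "drop:<reason>" verdict for one packet."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        flags = frozenset(pkt.flags)
        state = self.flows.get(key)
        if state is None:
            if flags != {"SYN"}:                  # only a bare SYN opens a session
                return "drop:no-session"
            if len(self.flows) >= self.max_flows:
                return "drop:table-full"          # capacity exceeded
            self.flows[key] = "SYN_SEEN"
            return "pass"
        if flags & {"RST", "FIN"}:                # teardown frees the slot
            del self.flows[key]
            return "pass"
        if state == "SYN_SEEN":
            if flags == {"SYN"}:                  # retransmitted SYN
                return "pass"
            if flags == {"ACK"}:                  # handshake completes
                self.flows[key] = "ESTABLISHED"
                return "pass"
            return "drop:bad-handshake"
        if "ACK" in flags and "SYN" not in flags: # normal established traffic
            return "pass"
        return "drop:out-of-state"

def run_demo():
    """Constructed traffic: one good session, one stray ACK, then table pressure."""
    srv, s = "192.0.2.10", Scrubber(max_flows=2)
    out = [s.check(Packet("198.51.100.7", 40000, srv, 443, f))
           for f in ({"SYN"}, {"ACK"}, {"ACK", "PSH"})]
    out.append(s.check(Packet("203.0.113.9", 5555, srv, 443, {"ACK"})))
    # Unfinished handshakes from other sources occupy the remaining slot ...
    out.append(s.check(Packet("203.0.113.20", 1025, srv, 443, {"SYN"})))
    out.append(s.check(Packet("203.0.113.21", 1025, srv, 443, {"SYN"})))
    # ... so a legitimate new client is refused as well.
    out.append(s.check(Packet("198.51.100.8", 40001, srv, 443, {"SYN"})))
    return out

if __name__ == "__main__":
    print(run_demo())
```

The last verdict is the point of the sketch: once the session table is full, the scrubber can no longer tell a legitimate new client from the traffic that filled it.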
Embodiments of the invention are directed toward overcoming the disadvantages and limitations of conventional approaches to addressing the detection of and response times to attempts to carry out such illegal and/or undesirable activities, and solving the problems created by such activities, both individually and collectively.